Description

Captures Ethernet packets and writes them to a dump file, with filtering, DOS.

There are two phases to performing OS detection from a spoofed source: first, creating a host, and second, performing a scan.

To create a host we have to exploit a well-known vulnerability within Ethernet: MAC address spoofing. By spoofing a MAC address, a host can be created on the network. If that MAC address replies to ARP requests with a valid IP address, the spoofed machine can be contacted over the network. This is the same method by which a virtual honeypot is created: a program selects a MAC address and spoofs a TCP/IP stack accordingly.

To perform a scan, packets need to be sent from the spoofed machine created in the first phase. This is done by spoofing the entire frame, i.e. the MAC address, the IP address, and the TCP / UDP / ICMP packet headers. By sending packets from this spoofed source and also spoofing the TCP/IP stack, we can effectively scan a machine from a spoofed source. The remote OS tests are the same ones that nmap performs, with the added bonus of scanning from a spoofed MAC address.

Where does DHCP come into play? DHCP aids the attack by allowing spoofed machines to be created simply. By spoofing the DHCP packet exchange so that an IP address is assigned to a chosen MAC address, spoofed machines can be created. 200 machines can be created via DHCP, and from there a target host may be port scanned and OS detection performed.
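The two paragraphs above describe how a population of spoofed hosts is built: a fabricated MAC address answers ARP, and the DHCP exchange is driven once per fabricated MAC so the server hands each one a lease. From the defender's side the observable signal is a single network segment suddenly producing far more distinct DHCP client hardware addresses than any real host population would. The script below is an added example and is not part of the gobbler project; the DHCP server log format it parses (timestamp, message type, `chaddr`, `seg`) and the sample lines are constructed for this example, and the burst threshold and window are assumptions to be tuned per environment.

```python
"""Flag bursts of DHCPDISCOVER traffic from many distinct client MACs.

Added example (not the gobbler project's code). Sliding-window detector:
for each segment, count the distinct chaddr values seen in DHCPDISCOVER
messages within `window`; the first time that count reaches `threshold`
on a segment, raise one alert for that burst.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <DHCP message> chaddr=<mac> seg=<segment>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<msg>DHCP[A-Z]+) chaddr=(?P<mac>[0-9a-f:]{17}) seg=(?P<seg>\S+)$"
)

# Constructed benign traffic: a few real clients on vlan10, minutes apart.
BENIGN = """\
2024-03-01T09:00:00 DHCPDISCOVER chaddr=00:1a:2b:00:00:01 seg=vlan10
2024-03-01T09:00:01 DHCPREQUEST chaddr=00:1a:2b:00:00:01 seg=vlan10
2024-03-01T09:05:00 DHCPDISCOVER chaddr=00:1a:2b:00:00:02 seg=vlan10
2024-03-01T09:30:00 DHCPDISCOVER chaddr=00:1a:2b:00:00:03 seg=vlan10
"""

# Constructed burst: 25 DISCOVERs from 25 never-seen MACs on vlan20, one per second,
# the shape a spoofed-host population being created through DHCP would leave behind.
BURST = "".join(
    f"2024-03-01T10:00:{i:02d} DHCPDISCOVER chaddr=02:00:00:00:00:{i + 1:02x} seg=vlan20\n"
    for i in range(25)
)

SAMPLE_LOG = BENIGN + BURST


def parse_log(text):
    """Parse log text into a chronologically sorted list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # lines outside the constructed format are ignored
        events.append(
            {
                "ts": datetime.fromisoformat(m["ts"]),
                "msg": m["msg"],
                "mac": m["mac"],
                "seg": m["seg"],
            }
        )
    events.sort(key=lambda e: e["ts"])
    return events


def detect_bursts(events, window=timedelta(seconds=60), threshold=10):
    """Return (segment, timestamp, distinct_macs) for each burst start.

    A burst starts when the number of distinct MACs sending DHCPDISCOVER on a
    segment within `window` reaches `threshold`; it ends once the count drops
    below the threshold again, after which a new burst can be reported.
    """
    recent = defaultdict(deque)    # seg -> deque of (ts, mac), oldest first
    counts = defaultdict(Counter)  # seg -> mac -> occurrences inside the window
    alerted = set()                # segments currently inside a reported burst
    alerts = []
    for ev in events:
        if ev["msg"] != "DHCPDISCOVER":
            continue
        seg, ts, mac = ev["seg"], ev["ts"], ev["mac"]
        q, c = recent[seg], counts[seg]
        # Drop events that have aged out of the window.
        while q and ts - q[0][0] > window:
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        q.append((ts, mac))
        c[mac] += 1
        distinct = len(c)
        if distinct >= threshold and seg not in alerted:
            alerted.add(seg)
            alerts.append((seg, ts, distinct))
        elif distinct < threshold:
            alerted.discard(seg)
    return alerts


if __name__ == "__main__":
    for seg, ts, n in detect_bursts(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {seg}: {n} distinct DHCP clients within 60s")
```

On the constructed input the benign vlan10 clients never trip the detector, while vlan20 is reported once, at the tenth fresh MAC. Keying on `chaddr` rather than on the DHCP server's assigned addresses matters here: each spoofed host is a new hardware address, so the distinct-MAC count rises even when leases are handed out normally. Pairing this with the switch's port-security or MAC-address-table counts gives the physical port behind the burst.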

In addition to OS detection and port scanning, the gobbler can also perform traceroute and ping functions from multiple spoofed sources.